Vulnerabilities affect data center services commonly used by organizations and could be exploited by attackers to gain system access and perform remote code execution.
Multiple vulnerabilities in data center infrastructure management systems/power distribution units have the potential to cripple popular cloud-based services. That's according to new findings from the Trellix Advanced Research Center, which revealed four vulnerabilities in CyberPower's Data Center Infrastructure Management (DCIM) platform and five vulnerabilities in Dataprobe's iBoot Power Distribution Unit (PDU).
The vulnerabilities could be used to gain full access to these systems as well as to perform remote code execution (RCE) to create device backdoors and an entry point to the broader network, according to the researchers. They are basic, require little expertise or hacking tools, and could be executed in minutes, the team added. At the time of disclosure, Trellix said it had not discovered any malicious use of the exploits in the wild. The research into the vulnerabilities was presented at DEF CON in Las Vegas.
The data center market is seeing rapid growth as businesses turn to digital transformation and cloud services to support new working habits and operational efficiencies. In the US alone, data center demand is expected to reach 35 gigawatts (GW) by 2030, up from 17 GW in 2022, according to analysis from McKinsey & Company. However, today's data centers are a critical attack vector for cybercriminals wanting to spread malware, blackmail businesses for ransom, conduct corporate or foreign espionage, or shut down large swaths of the internet.
Remote code execution, authentication bypass, DoS among risks
CyberPower provides power protection and management systems for computer and server technologies. Its DCIM platform allows IT teams to manage, configure, and monitor the infrastructure within a data center through the cloud, serving as a single source of information and control for all devices. "These platforms are commonly used by companies managing on-premises server deployments to larger, co-located data centers - like those from major cloud providers AWS, Google Cloud, Microsoft Azure, etc.," the researchers wrote.
The four vulnerabilities Trellix found in CyberPower's DCIM are:
- CVE-2023-3264: Use of hard-coded credentials (CVSS 6.7).
- CVE-2023-3265: Improper neutralization of escape, meta, or control sequences (auth bypass, CVSS 7.2).
- CVE-2023-3266: Improperly implemented security check for standard (auth bypass, CVSS 7.5).
- CVE-2023-3267: OS command injection (authenticated remote code execution, CVSS 7.5).
Dataprobe manufactures power management products that assist businesses in monitoring and controlling their equipment. iBoot PDU allows administrators to remotely manage the power supply to their devices and equipment via a web application. Dataprobe has thousands of devices across numerous industries, including deployments in data centers, travel and transportation infrastructure, financial institutions, smart city IoT installations, and government agencies, Trellix said.
The five vulnerabilities Trellix found in Dataprobe's iBoot PDU are:
- CVE-2023-3259: Deserialization of untrusted data (auth bypass, CVSS 9.8).
- CVE-2023-3260: OS command injection (authenticated RCE, CVSS 7.2).
- CVE-2023-3261: Buffer overflow (DoS, CVSS 7.5).
- CVE-2023-3262: Use of hard-coded credentials (CVSS 6.7).
- CVE-2023-3263: Authentication bypass by alternate name (auth bypass, CVSS 7.5).
Malware at scale, digital espionage, power outages potential impacts
Attackers can exploit these types of vulnerabilities within data center deployments to launch malware at scale, carry out digital espionage, and knock out power altogether, the researchers said. Using these platforms to create a backdoor on the data center equipment provides bad actors a foothold to compromise a huge number of systems and devices. "Some data centers host thousands of servers and connect to hundreds of various business applications. Malicious attackers could slowly compromise both the data center and the business networks connected to it." Malware across such a huge scale of devices could be leveraged for massive ransomware, DDoS, or wiper attacks, potentially even more widespread than Stuxnet, the Mirai botnet, or WannaCry, according to Trellix.
Additionally, nation-state backed and other advanced persistent threat (APT) actors could leverage these exploits to conduct cyberespionage attacks. "The 2018 concerns of spy chips in data centers would become a digital reality if spyware installed in data centers worldwide were to be leveraged for cyber espionage to inform foreign nation states of sensitive information."
Even the ability to turn the data center off by accessing such power management systems would be significant, the researchers noted. "Websites, business applications, consumer technologies, and critical infrastructure deployments all rely on these data centers to operate. A threat actor could shut that all down for days at a time with the simple 'flip of a switch' in dozens of compromised data centers." Furthermore, manipulation of the power management can be used to damage the hardware devices themselves, making them far less effective, if not inoperable, they added.
Check for internet exposure, install latest firmware
Both Dataprobe and CyberPower have released fixes for the vulnerabilities: version 2.6.9 of CyberPower's PowerPanel Enterprise (DCIM) software and version 1.44.08042023 of the Dataprobe iBoot PDU firmware. "We strongly urge all potentially impacted customers to download and install these patches immediately," Trellix said. In addition to the official patches, the researchers advised extra steps to reduce the exposure of these products to any future zero-day exploitation.
- Ensure that PowerPanel Enterprise and iBoot PDU are not exposed to the wider internet. Each should be reachable only from within an organization's secure intranet. In the case of the iBoot PDU, Trellix suggested disabling remote access via Dataprobe's cloud service as an added precaution.
- Modify the passwords associated with all user accounts and revoke any sensitive information stored on both appliances that may have been leaked.
- Update to the latest version of PowerPanel Enterprise or install the latest firmware for the iBoot PDU and subscribe to the relevant vendor's security update notifications.
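The three recommendations above are easy to check against an asset inventory. The following script is an added example written for this article, not code from Trellix, CyberPower or Dataprobe: it audits a constructed list of PowerPanel Enterprise and iBoot PDU devices for the fixed versions named above (2.6.9 and 1.44.08042023), for management addresses outside the organization's internal ranges, for unrotated credentials, and for iBoot units with vendor cloud remote access still enabled. The inventory format, the field names, the older version strings in the sample and the assumption that the organization's intranet is RFC 1918 space are all constructed for the example; it also assumes each dotted version component compares as an integer, which is worth confirming against the vendor's numbering before relying on it.

```python
"""Audit a device inventory against the article's three mitigations:
no internet exposure, rotated credentials, and patched versions.
All device records below are constructed for this example."""
import ipaddress
from dataclasses import dataclass

# Fixed versions named in the article. Assumption: a device running this or a
# higher version (compared as dotted integer components) carries the fix.
FIXED_VERSIONS = {
    "PowerPanel Enterprise": "2.6.9",
    "iBoot PDU": "1.44.08042023",
}

# Assumption: the organization's "secure intranet" is RFC 1918 space. Adjust to
# the real internal ranges; anything outside them is treated as exposed.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Device:
    name: str
    product: str                 # key into FIXED_VERSIONS
    mgmt_ip: str                 # address the web interface listens on
    version: str                 # version as reported by the device
    password_rotated: bool       # credentials changed since the advisory
    cloud_remote_access: bool = False  # iBoot only: vendor cloud remote access on


def parse_version(v: str) -> tuple:
    """'1.44.08042023' -> (1, 44, 8042023). Assumption: numeric components."""
    return tuple(int(p) for p in v.split("."))


def is_patched(product: str, version: str) -> bool:
    return parse_version(version) >= parse_version(FIXED_VERSIONS[product])


def is_outside_intranet(ip: str) -> bool:
    """True when the management address is not inside any internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def audit(devices) -> dict:
    """Return {device name: [issue strings]}; an empty list means compliant."""
    findings = {}
    for d in devices:
        issues = []
        if d.product not in FIXED_VERSIONS:
            issues.append("unknown product; cannot evaluate")
        elif not is_patched(d.product, d.version):
            issues.append(f"unpatched: {d.version} < {FIXED_VERSIONS[d.product]}")
        if is_outside_intranet(d.mgmt_ip):
            issues.append(f"management interface outside intranet: {d.mgmt_ip}")
        if not d.password_rotated:
            issues.append("credentials not rotated")
        if d.product == "iBoot PDU" and d.cloud_remote_access:
            issues.append("vendor cloud remote access enabled")
        findings[d.name] = issues
    return findings


# Constructed sample inventory. "2.5.0" and "1.43.0" are placeholder older
# version strings, not real releases; 203.0.113.10 is a documentation-range
# address standing in for a publicly reachable one.
SAMPLE_INVENTORY = [
    Device("dcim-01", "PowerPanel Enterprise", "10.20.0.5", "2.6.9", True),
    Device("dcim-02", "PowerPanel Enterprise", "203.0.113.10", "2.5.0", False),
    Device("pdu-rack7", "iBoot PDU", "192.168.40.7", "1.44.08042023", True,
           cloud_remote_access=True),
    Device("pdu-rack8", "iBoot PDU", "192.168.40.8", "1.43.0", True),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run as-is it prints one line per device; in practice the inventory would be loaded from a CMDB export and the result fed into whatever ticketing or alerting the organization already uses, with the two fixed-version strings kept in one place so they can be bumped when the vendors publish further updates.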